Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Include advisory source in new security advisory commits #451

Open
Ocramius opened this issue Nov 15, 2021 · 2 comments · May be fixed by #459
Open

Include advisory source in new security advisory commits #451

Ocramius opened this issue Nov 15, 2021 · 2 comments · May be fixed by #459
Labels
enhancement help wanted

Comments

@Ocramius
Copy link
Member

One regular source of support questions is "why is some/library:1.2.3 included in the roave/security-advisories conflicts section?"

This is becoming regular and quite frustrating:

We probably do want to start committing the source of an advisory.

Specifically, we need to add a Source (value object with a URI in it, basically) to Advisory:

SecurityAdvisoriesBuilder/src/Roave/SecurityAdvisories/Advisory.php

Lines 33 to 46 in 0246933

/** @psalm-immutable */
final class Advisory
{
public PackageName $package;
/** @var list<VersionConstraint> */
private array $branchConstraints;
/** @param list<VersionConstraint> $branchConstraints */
private function __construct(PackageName $package, array $branchConstraints)
{
$this->package = $package;
$this->branchConstraints = $this->sortVersionConstraints($branchConstraints);
}

After doing that comes the tricky part: we need to identify which advisories were not considered as part of the pre-existing composer.json.

For that, we need to:

  1. read the pre-existing composer.json into an usable in-memory data structure
  2. compare each of the Advisory instances against it
  3. isolate those Advisory instances that would lead to a change of the excluded (data structure above?)
  4. add these Advisory instances to a list that is then used to determine the commit message to be generated
  5. generate the new commit message, which is currently hardcoded:

    SecurityAdvisoriesBuilder/build-conflicts.php

    Lines 247 to 275 in 14a83da

    $commitComposerJson = static function (string $composerJsonPath) use ($execute): void {
    $parseHead =
    /** @psalm-return non-empty-list<string> */
    static function () use ($execute): array {
    return $execute('git rev-parse HEAD');
    };
    $originalHash = runInPath(
    $parseHead,
    dirname($composerJsonPath) . '/../security-advisories'
    );
    runInPath(
    static function () use ($composerJsonPath, $originalHash, $execute): void {
    $execute('git add ' . escapeshellarg(realpath($composerJsonPath)));
    $message = sprintf(
    'Committing generated "composer.json" file as per "%s"',
    (new DateTime('now', new DateTimeZone('UTC')))->format(DateTime::W3C)
    );
    $message .= "\n" . sprintf(
    'Original commit: "%s"',
    'https://github.com/FriendsOfPHP/security-advisories/commit/' . $originalHash[0]
    );
    $execute('git diff-index --quiet HEAD || git commit -m ' . escapeshellarg($message));
    },
    dirname($composerJsonPath)
    );
    };
Ocramius referenced this issue in Roave/SecurityAdvisories Nov 17, 2021
@Ocramius
Committing generated "composer.json" file as per "2021-11-17T00:48:00…
f08ee6e 
…+00:00"

Original commit: "FriendsOfPHP/security-advisories@2c1108e"
@Ocramius Ocramius mentioned this issue Nov 18, 2021
Closed
@slash3b
Copy link
Contributor

slash3b commented Nov 20, 2021

Locally, I've just deleted some of packages from the "old" version and do comparison of newly generated composer.json to the old one. So this way we will have a a list of packages that are not in the old composer.json version.

Please check example below. Is this what we need ?

/usr/bin/php /home/slash3b/Projects/php/SecurityAdvisoriesBuilder/build-conflicts.php
Committing generated "composer.json" file as per "2021-11-20T22:33:36+00:00"
Original commit: "https://github.com/FriendsOfPHP/security-advisories/commit/486a92e290b38e5f01f0075c3919a5d251960671"

Added advisories:
   Package name: "alterphp/easyadmin-extension-bundle"
   Summary: "Action case insensitivity"
   URI: "https://github.com/alterphp/EasyAdminExtensionBundle/releases/tag/v1.3.1"

   Package name: "3f/pygmentize"
   Summary: "Remote Code Execution"
   URI: "https://github.com/dedalozzo/pygmentize/issues/1"

   Package name: "adodb/adodb-php"
   Summary: "XSS vulnerability in old test script"
   URI: "https://github.com/ADOdb/ADOdb/issues/274"

   Package name: "adodb/adodb-php"
   Summary: "Potential SQL injection vector"
   URI: "https://github.com/ADOdb/ADOdb/pull/401"

   Package name: "akaunting/akaunting"
   Summary: "Malicious password-reset in Akaunting"
   URI: "https://github.com/advisories/GHSA-246r-r2wf-frhx"

@Ocramius
Copy link
Member Author

That seems exactly like what we're trying to achieve here, yes 👍

@Ocramius Ocramius linked a pull request Nov 23, 2021 that will close this issue
Open
@Ocramius Ocramius mentioned this issue Jan 11, 2022
Closed
@Ocramius Ocramius mentioned this issue Apr 13, 2022
Closed
@Ocramius Ocramius mentioned this issue Sep 22, 2022
Closed
Ocramius referenced this issue in Roave/SecurityAdvisories Feb 2, 2024
@Ocramius
Committing generated "composer.json" file as per "2024-02-01T20:04:27…
b44b25c 
…+00:00"

Original commit: "FriendsOfPHP/security-advisories@e14352c"
@Ocramius Ocramius mentioned this issue Feb 8, 2024
Closed
@Ocramius Ocramius mentioned this issue Feb 23, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement help wanted
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Issues/451 Add advisory information to a commit messages slash3b/SecurityAdvisoriesBuilder
2 participants
@Ocramius @slash3b